It's a known issue that users tend to overload the network by downloading movies, music, etc., so the admin would like to put the users into a chroot environment. That isn't going to happen, since we can restrict some downloads using Squid. The prerequisite is an installed and configured Squid.
This HOWTO is written for Squid version 2.5.3, since the configuration parameters changed a bit. Now edit squid.conf with your favourite editor (vim :)), wherever it is located on your system. Let's make a directory for the miscellaneous Squid configuration files.
osiris:~# mkdir /etc/squid
osiris:~# vim /etc/squid.conf
Here are the lines you have to put into your squid.conf configuration file:
# AUTH Parameters
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Put here some text
auth_param basic credentialsttl 2 hours
# ACL
acl local-network src 192.168.0.0/255.255.0.0
acl deny_ext urlpath_regex -i "/etc/squid/deny_ext"
acl password proxy_auth REQUIRED
# HTTP ACCESS
http_access allow deny_ext password
http_access allow local-network
Let me explain the configuration above. First we have to specify the authentication parameters. Then we can add some ACLs: we create a rule for the local-network source. The second ACL points to the deny_ext file, where you will put the extensions to deny. The third ACL is the proxy authentication rule; you can put usernames after it, or just 'REQUIRED' for no specific username. Finally we have to put these ACLs in the http_access list. Please notice that the order is very important, since a request is handled by the first matching rule. So we have to put the deny rules at the beginning.
We have to create the password file:
osiris:~# htpasswd -c /etc/squid/passwd username
You have to type the password for the new user twice. Now let's put some extensions into our /etc/squid/deny_ext file:
\.exe$
\.bat$
\.com$
\.vbs$
\.ini$
\.dll$
\.mp3$
\.avi$
\.mpg$
\.mpeg$
\.asf$
\.wav$
\.ogg$
\.rm$
\.ram$
\.mov$[..]
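Before restarting, the pattern file can be dry-run against a few URLs. This is an added example, not part of the original HOWTO; the function names and sample URLs are constructed, and it assumes that urlpath_regex is matched against everything after the host name (query string included) and that grep -E -i is a fair stand-in for Squid's regex matching.

```sh
#!/bin/sh
# Added example: dry-run a deny_ext pattern file against URLs before restarting Squid.
# Assumptions: urlpath_regex sees everything after the host (query string included),
# and grep -E -i behaves like Squid's case-insensitive (-i) regex matching.

# Strip scheme and host, leaving the part the ACL is matched against.
url_path() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*##'
}

# Print "match" if any pattern in file $1 matches the path of URL $2, else "pass".
check_url() {
    if url_path "$2" | grep -E -i -q -f "$1"; then
        echo match
    else
        echo pass
    fi
}

# Constructed sample pattern file: three entries from the list above.
make_sample_patterns() {
    printf '%s\n' '\.exe$' '\.mp3$' '\.avi$' > "$1"
}

# Read URLs from stdin and report the verdict for each one.
report() {
    while IFS= read -r url; do
        printf '%-5s %s\n' "$(check_url "$1" "$url")" "$url"
    done
}

# Constructed test URLs; on a real proxy pass /etc/squid/deny_ext instead.
patterns=$(mktemp)
make_sample_patterns "$patterns"
report "$patterns" <<'EOF'
http://www.example.com/files/setup.EXE
http://www.example.com/music/song.mp3
http://www.example.com/music/song.mp3?dl=1
http://downloads.exe.example.com/index.html
EOF
rm -f "$patterns"
```

A "pass" on the query-string URL means that \.mp3$ alone does not cover it; under the same assumption, writing the entry as \.mp3(\?.*)?$ does.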
We have to restart Squid and it should work. You can find some good plugins for Squid on Sarg's page, like password expiry for authentication, etc.